# tfsec — Static Security Scanner for Terraform Code

> Catch security misconfigurations in Terraform before they reach production. tfsec scans HCL files for hundreds of cloud security rules across AWS, Azure, and GCP with zero configuration.

## Quick Use

```bash
# Install
brew install tfsec

# Or via Go
go install github.com/aquasecurity/tfsec/cmd/tfsec@latest

# Scan current directory
tfsec .

# Output as JSON for CI integration
tfsec . --format json
```

## Introduction

tfsec is a static analysis security scanner for Terraform code developed by Aqua Security. It inspects HCL files and Terraform plan JSON for security misconfigurations before infrastructure is provisioned. With 350+ built-in rules covering AWS, Azure, GCP, and Kubernetes resources, it catches issues like public S3 buckets, unencrypted databases, and overly permissive security groups during development rather than after deployment.

## What tfsec Does

- Scans Terraform HCL files for security misconfigurations without running `terraform plan`
- Checks 350+ built-in rules across AWS, Azure, GCP, DigitalOcean, and Kubernetes providers
- Resolves Terraform variables, locals, and module references for accurate analysis
- Integrates into CI/CD pipelines with JUnit, JSON, SARIF, and CSV output formats
- Supports custom rules via YAML or Rego policies for organization-specific standards

## Architecture Overview

tfsec parses HCL files into an AST, resolves variable references and module sources, then evaluates each resource block against a rule registry. Rules are Go functions that inspect resource attributes and return pass/fail results with severity levels. The scanner follows module references locally and from the Terraform registry. Results include the file, line number, rule ID, severity, and a remediation link. Apart from fetching remote modules, it needs no network access and makes no cloud API calls.
## Self-Hosting & Configuration

- Install via Homebrew, apt, Go install, or download prebuilt binaries from GitHub releases
- Run `tfsec .` in any directory containing `.tf` files — no configuration required
- Exclude rules with inline comments such as `#tfsec:ignore:aws-s3-enable-versioning` or a `.tfsec` config
- Add custom rules in the `.tfsec/` directory using YAML definitions or Rego policies
- Integrate with GitHub Actions, GitLab CI, or pre-commit hooks for automated scanning

## Key Features

- Zero-config scanning: point at a directory and get results in seconds
- Resolves Terraform expressions, variables, and locals for accurate context-aware checks
- Severity levels (CRITICAL, HIGH, MEDIUM, LOW) help prioritize remediation efforts
- SARIF output integrates with GitHub Advanced Security code scanning alerts
- Supports scanning Terraform plan JSON for post-plan validation in CI pipelines

## Comparison with Similar Tools

- **Checkov** — Python-based with broader IaC support; tfsec is faster and Terraform-focused
- **Trivy** — tfsec is now integrated into Trivy; standalone tfsec is simpler for Terraform-only projects
- **Terrascan** — OPA-based policies; tfsec has more Terraform-specific built-in rules
- **Snyk IaC** — commercial SaaS; tfsec is fully open source and runs offline

## FAQ

**Q: Is tfsec still maintained separately from Trivy?**
A: tfsec's rule engine is now embedded in Trivy, but the standalone tfsec CLI is still maintained for users who want a focused Terraform scanner.

**Q: Does tfsec need Terraform installed?**
A: No. tfsec parses HCL directly and does not invoke `terraform init` or `terraform plan`.

**Q: Can I suppress false positives?**
A: Yes. Add `#tfsec:ignore:RULE_ID` as an inline comment above the resource, or use a `.tfsec/config.yml` to exclude rules globally.

**Q: Does it support Terraform modules?**
A: Yes. tfsec resolves local modules and public registry modules to analyze the full resource graph.
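The kind of finding described above (a public, unencrypted S3 bucket) with its remediated form, followed by a scoped use of the inline ignore syntax. This is an added example, not code from the tfsec project: the bucket names and expiry date are constructed, and it assumes a tfsec version that understands the AWS provider v4 split bucket resources (`aws_s3_bucket_versioning` and friends).

```hcl
# BEFORE: publicly readable bucket with no encryption or versioning.
# tfsec flags the public ACL and the missing encryption/versioning
# settings at the line of this resource block.
resource "aws_s3_bucket" "logs_before" {
  bucket = "example-audit-logs" # constructed name
  acl    = "public-read"
}

# AFTER: private bucket, encryption at rest, versioning, and public
# access explicitly blocked. Each hardening step lives in its own
# resource, which tfsec follows by the aws_s3_bucket.logs.id reference.
resource "aws_s3_bucket" "logs" {
  bucket = "example-audit-logs" # constructed name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_versioning" "logs" {
  bucket = aws_s3_bucket.logs.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Scratch bucket where versioning is deliberately off. The ignore comment
# suppresses only that one rule, only for this resource, and carries an
# expiry so the exception resurfaces as a finding after the given date.
# Other rules (encryption, public access) still apply to this bucket.
#tfsec:ignore:aws-s3-enable-versioning:exp:2025-12-31
resource "aws_s3_bucket" "scratch" {
  bucket = "example-scratch" # constructed name
}
```

Running `tfsec .` against this file reports the `logs_before` bucket and the remaining gaps on `scratch`, while the expired-ignore mechanism keeps accepted risks from becoming permanent blind spots.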
## Sources

- https://github.com/aquasecurity/tfsec
- https://aquasecurity.github.io/tfsec/

---

Source: https://tokrepo.com/en/workflows/b9dd698f-3939-11f1-9bc6-00163e2b0d79
Author: Script Depot